The UK Supreme Court has issued its decision in Various claimants v Morrisons Supermarkets1 regarding when an employer can be vicariously liable for a data breach resulting from the theft and disclosure of employee data by a disgruntled employee.

Whilst the case is significant because of its focus on vicarious liability, it is also of note as it was the first case under a group litigation order to come before the UK courts. It was brought under the UK Data Protection Act 1998 (the “DPA”), now replaced by the Data Protection Act 2018. As far as Irish law is concerned, under GDPR, Article 80 allows data subjects to mandate a consumer protection body to bring compensation claims on their behalf, so we could see similar litigation before the Irish courts.

The facts

Morrisons Supermarkets (“Morrisons”) operates a chain of supermarkets and employed Andrew Skelton on its internal audit team. In July 2013, Skelton received a verbal warning after disciplinary proceedings for minor misconduct. Following those proceedings, he harboured an irrational grudge against his employer, which led him to publish personal information about Morrisons employees on the internet (the “affected employees”). Skelton also sent the file anonymously to three UK newspapers, purporting to be a concerned member of the public who had found it online. The newspapers did not publish the information, instead alerting Morrisons, which took immediate steps to have the data removed from the internet and to protect its employees, including by alerting police. Skelton was arrested, prosecuted and imprisoned.

The claims

The respondents, the affected employees, brought proceedings against Morrisons personally and on the basis that it was vicariously liable for Skelton’s acts. Their claims were for breach of statutory duty under the DPA, misuse of private information, and breach of confidence. The High Court held that Skelton had acted in the course of his employment on the basis of Mohamud v WM Morrison Supermarkets plc2 (“Mohamud”). The High Court

1. concluded that Morrisons bore no primary responsibility but was vicariously liable on each basis claimed; and

2. rejected Morrisons’ argument that vicarious liability was inapplicable given the DPA’s content and its foundation in an EU Directive.

Morrisons’ subsequent appeal to the Court of Appeal (“CoA”) was dismissed. It then appealed to the UK Supreme Court.

The Supreme Court appeal:

1. The vicarious liability issue:

The primary issue before the Supreme Court was whether Morrisons was vicariously liable for Skelton’s conduct. The Supreme Court reviewed the law on vicarious liability, notably the Supreme Court’s approach in Mohamud and held that the High Court and the CoA had misapplied the law.

The “close connection” test

The close connection approach to vicarious liability set out in Dubai Aluminium Co Ltd v Salaam3, was applied by the Supreme Court. In order for liability to third parties to be imposed on the employer, the wrongful conduct must be so closely connected with acts which the employee was authorised to do that, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment4.

The Supreme Court overturned the lower court’s findings and held that the close connection test had not been satisfied because

a) the online disclosure of the data was not part of Skelton’s “field of activities”, as it was not an act which he was authorised to do;

b) it was not sufficient for the imposition of vicarious liability that the employment gave Skelton the opportunity to commit the wrongful act, or that the employee was “doing acts of the same kind as those which it was within his authority to do”;

c) whilst there was a “close temporal link and an unbroken chain of causation” between the provision of data to Skelton in the course of his employment and its subsequent disclosure, “a temporal or casual connection does not in itself satisfy the close connection test”;

d) it was highly material whether Skelton was acting on his employer’s business or for purely personal reasons. In this case it was clear he was not engaged in furthering Morrisons’ business when he committed the wrongdoing. Rather, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.

2. The data protection points

The data protection issue in the appeal was whether the DPA excluded the imposition of vicarious liability for breaches of its own provisions, committed by an employee as a controller, or for misuse of private information and breach of confidence. Although the Supreme Court concluded that it was not strictly necessary to consider this in light of its findings on vicarious liability it was desirable to express a view.

Morrisons argued that the DPA impliedly excluded the vicarious liability of an employer. Morrisons referred in particular to section 13(1) of the DPA, which provided that

“[an] individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”5.

Morrisons argued therefore that the DPA made it clear, that liability was to be imposed only on controllers, and only where they had acted without reasonable care. That statutory scheme was inconsistent with the imposition of a strict liability on the employer of a controller, whether for that person’s breach of the DPA or for his breach of duties arising at common law or in equity. Since it was common ground that Morrisons performed the obligations incumbent upon them as controllers, and that Skelton was a controller in his own right in relation to the data which disclosed, it followed that Morrisons could not be under a vicarious liability for his breach of the duties incumbent upon him.

Ultimately, the Supreme Court found Morrisons’ argument unpersuasive. It held that imposing statutory liability on a controller like Skelton is not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA or for a common law or equitable wrong, as the DPA says nothing about a controller’s employer.

The position in Ireland

The close connection test has been held by the Irish Supreme Court to represent the law in Ireland6. Although the judgment of the English courts are not binding in Ireland, they are generally regarded as persuasive. Taking all of this into account it is likely the Morrisons’ Supreme Court decision would be instructive before the Irish courts should similar issues arise for determination before them, whether arising under the GPDR or the Irish Data Protection Act 2018 or from any other breach or wrongdoing by an employee.

The UK Supreme Court decision will be welcomed by employers as there was speculation that the lower courts decisions meant a shift towards employers being held out as insurers for employees. However, the ruling on the Data Protection Act and vicarious liability should serve as a warning to employers, that they may be held vicariously liable for data breaches committed by an employee who is a controller.